1. 20 Oct, 2018 1 commit
    • GSSAPI key exchange support · 72b1d308
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-10-20
      
      Patch-Name: gssapi.patch
  2. 10 Jul, 2018 2 commits
  3. 12 Sep, 2016 1 commit
    • upstream commit · 9136ec13
      deraadt@openbsd.org authored
      Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
      use those definitions rather than pulling <sys/param.h> and unknown namespace
      pollution. ok djm markus dtucker
      
      Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
  4. 22 May, 2015 1 commit
  5. 26 Jan, 2015 1 commit
  6. 08 Nov, 2013 2 commits
    • - djm@cvs.openbsd.org 2013/11/08 00:39:15 · 727a3bfd
      Damien Miller authored
           [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
           [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
           [sftp-client.c sftp-glob.c]
           use calloc for all structure allocations; from markus@
    • - djm@cvs.openbsd.org 2013/11/08 00:39:15 · 6c81fee6
      Damien Miller authored
           [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
           [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
           [sftp-client.c sftp-glob.c]
           use calloc for all structure allocations; from markus@
  7. 01 Jun, 2013 1 commit
    • - djm@cvs.openbsd.org 2013/05/17 00:13:13 · a627d42e
      Darren Tucker authored
           [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
           ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
           gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
           auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
           servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
           auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
           sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
           kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
           kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
           monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
           ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
           sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
           ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
           dns.c packet.c readpass.c authfd.c moduli.c]
           bye, bye xfree(); ok markus@
  8. 22 Jun, 2009 1 commit
    • - dtucker@cvs.openbsd.org 2009/06/22 05:39:28 · 821d3dbe
      Darren Tucker authored
           [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
           alphabetize includes; reduces diff vs portable and style(9).
           ok stevesk djm
           (Id sync only; these were already in order in -portable)
  9. 12 Jun, 2007 2 commits
  10. 30 Aug, 2006 1 commit
    • - dtucker@cvs.openbsd.org 2006/08/29 12:02:30 · 76758b64
      Damien Miller authored
           [gss-genr.c]
           Work around a problem in Heimdal that occurs when KRB5CCNAME file is
           missing, by checking whether or not kerberos allocated us a context
           before attempting to free it.  Patch from Simon Wilkinson, tested by
           biorn@, ok djm@
  11. 18 Aug, 2006 3 commits
  12. 05 Aug, 2006 2 commits
    • - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 · d7834353
      Damien Miller authored
           [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
           [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
           [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
           [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
           [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
           [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
           [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
           [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
           [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
           [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
           [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
           [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
           [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
           [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
           [serverloop.c session.c session.h sftp-client.c sftp-common.c]
           [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
           [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
           [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
           [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
           [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
           [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
           almost entirely get rid of the culture of ".h files that include .h files"
           ok djm, sort of ok stevesk
           makes the pain stop in one easy step
           NB. portable commit contains everything *except* removing includes.h, as
           that will take a fair bit more work as we move headers that are required
           for portability workarounds to defines.h. (also, this step wasn't "easy")
    • - stevesk@cvs.openbsd.org 2006/07/26 02:35:17 · 8dbffe79
      Damien Miller authored
           [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
           [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
           [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
           [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
           [uidswap.c xmalloc.c]
           move #include <sys/param.h> out of includes.h
  13. 24 Jul, 2006 2 commits
    • - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c] · b8fe89c4
      Damien Miller authored
         [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
         [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
         [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
         [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
         [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
         [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
         [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
         [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
         [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
         make the portable tree compile again - sprinkle unistd.h and string.h
         back in. Don't redefine __unused, as it turned out to be used in
         headers on Linux, and replace its use in auth-pam.c with ARGSUSED
    • - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 · e3476ed0
      Damien Miller authored
           [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
           [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
           [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
           [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
           [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
           [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
           [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
           [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
           [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
           [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
           [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
           [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
           [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
           move #include <string.h> out of includes.h
  14. 23 Apr, 2006 1 commit
    • - djm@cvs.openbsd.org 2006/04/03 07:10:38 · 63e437f0
      Damien Miller authored
           [gss-genr.c]
           GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
           by dleonard AT vintela.com. use xasprintf() to simplify code while in
           there; "looks right" deraadt@
  15. 26 Mar, 2006 2 commits
    • - djm@cvs.openbsd.org 2006/03/25 22:22:43 · 51096383
      Damien Miller authored
           [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
           [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
           [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
           [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
           [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
           [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
           [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
           [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
           [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
           [ttymodes.h uidswap.h uuencode.h xmalloc.h]
           standardise spacing in $OpenBSD$ tags; requested by deraadt@
    • - djm@cvs.openbsd.org 2006/03/25 00:05:41 · 07d86bec
      Damien Miller authored
           [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
           [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
           [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
           [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
           [xmalloc.c xmalloc.h]
           introduce xcalloc() and xasprintf() failure-checked allocation
           functions and use them throughout openssh
      
           xcalloc is particularly important because malloc(nmemb * size) is a
           dangerous idiom (subject to integer overflow) and it is time for it
           to die
      
           feedback and ok deraadt@
  16. 25 Mar, 2006 1 commit
  17. 05 Nov, 2005 2 commits
  18. 17 Jul, 2005 1 commit
    • - djm@cvs.openbsd.org 2005/07/17 07:17:55 · 0dc1bef1
      Damien Miller authored
           [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
           [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
           [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
           [sshconnect.c sshconnect2.c]
           knf says that a 2nd level indent is four (not three or five) spaces
  19. 21 Nov, 2003 2 commits
  20. 17 Nov, 2003 1 commit
    • - markus@cvs.openbsd.org 2003/11/17 11:06:07 · 0425d401
      Damien Miller authored
           [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
           [monitor_wrap.h sshconnect2.c ssh-gss.h]
           replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
           test + ok jakob.
  21. 26 Aug, 2003 1 commit
    • - markus@cvs.openbsd.org 2003/08/22 10:56:09 · 0efd155c
      Darren Tucker authored
           [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
           gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
           readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
           ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
           support GSS API user authentication; patches from Simon Wilkinson,
           stripped down and tested by Jakob and myself.